This article is part of a series describing how to leverage Group Policy Software Installation to install SEP, all automatically and without touching SEPM when you deploy a computer.
GPO Installs and SEP, Part 1
How to leverage Group Policy Software Installation to install SEP Clients.
https://www-secure.symantec.com/connect/articles/creating-transform-mst-file-control-installation-symantec-endpoint-protection
GPO Installs and SEP, Part 2
How to turn GPO-installed SEP Clients into Managed Clients and assign them to the correct Group. Even if you don’t use GPO installs, this article makes your SEP installation more robust.
https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together
GPO Installs and SEP, Part 3
How to comply with Symantec’s supported upgrade path for MP installations.
https://www-secure.symantec.com/connect/articles/mp-upgrade-path-compliance-using-group-policy
___________________________________________________________________
What is a Transform?
A Transform (*.MST) file allows you to collect installation options for programs that use the Microsoft Windows Installer in a file. They can be used on the Installer (MSIEXEC.EXE) command line, or used in a software installation Group Policy in a Microsoft Active Directory domain.
How can they help me with SEP?
For Symantec Endpoint Protection (SEP), I have found MSTs most useful for controlling the features installed on SEP clients. As a bonus, when SEP is installed using MST files, it is no longer possible to install or remove individual components using Add or Remove Programs in Control Panel, which helps keep the configuration of a managed system under control.
How do I create one?
We will use Orca, a free utility from Microsoft, to generate the Transform. This Microsoft Knowledge Base article tells you how to obtain and install Orca:
support.microsoft.com/kb/255905
- Launch Orca, click File/Open, navigate to the SEP *.MSI file and click Open. For current versions of SEP, the filenames are Symantec Antivirus.msi and Symantec Antivirus Win64.msi.
- In the Tables pane, click Property.
- Click Tables/Add Row. The Add Row dialog box opens.
- Click the Property row and enter ADDLOCAL.
- Type the names of the Features you want included in this installation, separated by commas. (See below.)
- Click OK.
- Click Transform/Generate Transform and save the MST file with a descriptive name. I use the names of the features included in the Transform as the filename.
What are the SEP features, and how do I specify them?
They are listed in the Installation Guide together with their dependencies. In the version of the Installation Guide current at this writing (as included in SEP 11.0 MR4 MP2), they appear in Appendix A in a section entitled “Client installation features and properties.”
Use that as a guide for specifying features, with one exception: contrary to the documentation, there is no feature named “EmailTools”. If you include EmailTools in the list, your MST will not work. That name may be relevant for using SETAID.INI, but it does not apply to the MST.
For example, to install Antivirus/Antispyware, Proactive Threat Protection, Outlook E-mail snap-in and POP/SMTP e-mail snap-in, you would type this:
Core,SAVMain,OutlookSnapin,Pop3Smtp,PTPMain,COHMain
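A way to check a finished transform against the EmailTools pitfall described above (an added example, not part of the original article or of Symantec's tooling): this PowerShell script applies the MST to the MSI in memory through the Windows Installer COM automation interface and reports any ADDLOCAL name that is missing from the MSI's Feature table. The default file names are the article's; the helper function names are made up for this example.

```powershell
# Added example: verify that every ADDLOCAL feature in a transform exists in the MSI.
param(
    [string]$MsiPath = '.\Symantec Antivirus.msi',  # MSI name from the article
    [string]$MstPath = '.\MyTransform.mst'          # placeholder name from the article
)

# Hypothetical helper: late-bound call into the Windows Installer COM objects.
function Invoke-Msi($Object, [string]$Name, [string]$Kind, [object[]]$ArgList) {
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ArgList)
}

# Hypothetical helper: run a query and return column 1 of every row.
function Get-MsiColumn($Database, [string]$Sql) {
    $view = Invoke-Msi $Database 'OpenView' 'InvokeMethod' @($Sql)
    Invoke-Msi $view 'Execute' 'InvokeMethod' $null | Out-Null
    $values = @()
    while ($record = Invoke-Msi $view 'Fetch' 'InvokeMethod' $null) {
        $values += Invoke-Msi $record 'StringData' 'GetProperty' @(1)
    }
    Invoke-Msi $view 'Close' 'InvokeMethod' $null | Out-Null
    $values
}

$installer = New-Object -ComObject WindowsInstaller.Installer
# Mode 0 opens the MSI read-only, so the file on disk is never changed.
$db = Invoke-Msi $installer 'OpenDatabase' 'InvokeMethod' @((Resolve-Path $MsiPath).Path, 0)
$features = @(Get-MsiColumn $db 'SELECT `Feature` FROM `Feature`')

# Apply the transform in memory only, then read back the ADDLOCAL value it adds.
Invoke-Msi $db 'ApplyTransform' 'InvokeMethod' @((Resolve-Path $MstPath).Path, 0) | Out-Null
$addLocal = @(Get-MsiColumn $db 'SELECT `Value` FROM `Property` WHERE `Property` = ''ADDLOCAL''')
if ($addLocal.Count -eq 0) { throw 'The transform does not set ADDLOCAL.' }

# Feature names are case-sensitive, hence the case-sensitive comparison.
$requested = @($addLocal[0] -split ',' | ForEach-Object { $_.Trim() })
$unknown = @($requested | Where-Object { $features -cnotcontains $_ })
if ($unknown.Count -gt 0) {
    Write-Warning ('Not in the Feature table: ' + ($unknown -join ', '))
    exit 1
}
"All $($requested.Count) ADDLOCAL features exist in $MsiPath."
```

Running it before the MST is attached to a Group Policy package matters because, as noted below, the transform cannot be changed on the package afterwards.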
How do I use the MST?
Detailed discussion is beyond the scope of this article, but assuming basic familiarity with the MSIEXEC command line and Group Policy software installations, here is what you do:
On the command line
MSIEXEC /I "Symantec Antivirus.msi" TRANSFORMS=MyTransform.mst
In a Group Policy Object
1. Create a new Software Installation Package in the Computer Settings node of Group Policy Object Editor.
2. Select the SEP MSI file, and then click Advanced. (This is the ONLY opportunity you will have to apply a Transform to this Package.)
3. On the Modifications tab, click Add and select the MST file you created.
Can I put x86 and x64 Packages in the same GPO?
Nothing wrong with that. On the Deployment tab of the x86 Package, click Advanced and turn off "Make this 32-bit X86 application available to Win64 machines." Even if you forget, the x86 version won't install, but it will waste a minute or two during every bootup trying. At this writing, some SEP features are not supported on x64, so you'll likely need to use different MST files for the x64 product.
This installs an unmanaged SEP client. How do I make it managed?
This companion article shows you how to use Startup Scripts to drop an appropriate SYLINK.XML file on each client. It has the added benefit that your SEP installation will be more robust, because you can ensure that clients will always be able to find a SEPM without any action from you, even in situations Symantec has not anticipated.
https://www-secure.symantec.com/connect/articles/startup-scripts-and-sylinkdrop-better-together
How do I meet Symantec's requirements for installing MPs only over their corresponding MRs with GPO installs?
An upcoming article discusses this very issue.
Can you share the MSTs you've used, to save us some time?
Sure!
https://www-secure.symantec.com/connect/downloads/sample-mst-files-use-group-policy-or-msiexec-command-line-sep-installs